Tailscale (and Caddy as a sidecar) Reverse Proxy #5439

flll · 2024-10-18T14:16:19Z

flll
Oct 18, 2024
Collaborator

🌐 Nextcloud All-in-One with Tailscale Integration Guide

⚠️ Disclaimer: This configuration might not work 100% correctly yet. Improvements and contributions are very welcome!

📋 Overview

This comprehensive guide walks you through integrating Nextcloud All-in-One (AIO) with Tailscale, using Caddy as a reverse proxy. Since Tailscale currently only allows communication with localhost (127.0.0.1), we use a sidecar container with Caddy to communicate with AIO.

✨ Key Benefits

🔒 Enhanced Security with ACL usage within Tailnet
🔐 ACME Certificate Issuance without port forwarding (Tailnet only)
🌍 External Exposure possibility using Tailscale's serve.json configuration

🚀 Step 1: Tailscale Configuration

Before setting up Docker containers, you need to properly configure Tailscale:

🏷️ 1.1 Copy Your Tailnet Domain Name

Navigate to Tailscale DNS Settings
Copy your domain name (format: {tailnetdomain}.ts.net)
Save this for later use

🔒 1.2 Enable HTTPS Certificates

Go to Tailscale DNS Settings
Enable HTTPS certificates (currently disabled by default in Tailscale)

🏷️ 1.3 Create Nextcloud Tag in ACL

Access Tailscale ACL Editor
Add the nextcloud tag in the tagOwners section
example:

"tagOwners": {
    "tag:nextcloud": ["autogroup:admin"],
},

🔑 1.4 Generate OAuth Client

Navigate to Tailscale OAuth Settings
Click "Generate OAuth client"
Select "Auth Keys: Write"
⚠️ Important: Make sure to select the nextcloud tag
- ACL tags must be defined in ACL before this step
Click "Generate Client"

OAuth Scopes Configuration:

✅ All write permissions under Devices
✅ Make sure to select the nextcloud tag
🔧 If it doesn't work properly, test with All scope

Copy the generated credentials (use later as TS_AUTH_KEY environment variable)

💡 Thanks to @VatsalJagani for this configuration

⚙️ Step 2: Environment Variables Setup

Configure the following environment variables for your setup:

TS_HOSTNAME=nextcloud                          # Your hostname in Tailnet
NC_DOMAIN=nextcloud.your-tailnet.ts.net        # Format: {TS_HOSTNAME}.{tailnetdomain}.ts.net
TS_AUTH_KEY=tskey-client-kXGGbs6CNTRL          # OAuth client key (recommended)
TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud   # Required for OAuth client key usage

Note

Important Configuration Notes:

We will not create a .env file, but instead write directly into the compose.yml file
If you do create a .env file, compose will automatically read it
Ensure NC_DOMAIN follows the correct format: {TS_HOSTNAME}.{tailnetdomain}.ts.net
When using OAuth client key, set tags in TS_EXTRA_ARGS and define them in ACL

📖 For more detailed information: Docker Tailscale Guide

🐳 Step 3: Docker Compose Configuration

Create a compose.yml file with the following content. Replace environment variables with your actual values.

compose.yml

services:
  nextcloud-aio-mastercontainer:
    image: ghcr.io/nextcloud-releases/all-in-one:beta
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line cannot be changed
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:8080:8080
    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 127.0.0.1
      SKIP_DOMAIN_VALIDATION: true

  caddy:
    build:
      context: .
      dockerfile: Caddy.Dockerfile
    depends_on:
      tailscale:
        condition: service_healthy
    restart: unless-stopped
    environment:
      NC_DOMAIN: nextcloud.your-tailnet.ts.net # Change to your domain ending with .ts.net
    volumes:
      - type: bind
        source: ./Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
        read_only: true
    network_mode: service:tailscale

  tailscale:
    image: tailscale/tailscale:v1.82.0
    environment:
      TS_HOSTNAME: nextcloud                        # Your tailnet hostname
      TS_AUTH_KEY: tskey-client-kXGGbs6CNTRL        # Your OAuth client key
      TS_EXTRA_ARGS: --advertise-tags=tag:nextcloud # Required for OAuth client
    init: true
    healthcheck:
      test: tailscale status --peers=false --json | grep 'Online.*true'
      start_period: 3s
      interval: 1s
      retries: 3
    restart: unless-stopped
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # Mount entire /tmp folder to access tailscale.sock
    cap_add:
      - NET_ADMIN
    networks:
      - nextcloud-aio

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed
  caddy_certs:
  caddy_config:
  caddy_data:
  tailscale:
  tailscale_sock:

networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "1280" # Can be set to 9001 for jumbo frames
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Security hardening
      com.docker.network.bridge.enable_icc: "true"
      com.docker.network.bridge.default_bridge: "false"
      com.docker.network.bridge.enable_ip_masquerade: "true"

Important

🔧 Before Setup: Make sure to replace NC_DOMAIN, TS_HOSTNAME, TS_AUTH_KEY, and TS_EXTRA_ARGS with your actual values!

📝 Step 4: Caddy Configuration Files

Create the necessary Caddy configuration files in your current directory:

4. Create Caddyfile and Caddy.Dockerfile

Create a Caddyfile in the current directory with the following content:

Caddyfile

{
    layer4 {
        127.0.0.1:3478 {
            route {
                proxy {
                    upstream nextcloud-aio-talk:3478
                }
            }
        }
        127.0.0.1:3479 {
            route {
                proxy {
                    upstream nextcloud-aio-talk:3479
                }
            }
        }
    }
}

https://{$NC_DOMAIN} {
    reverse_proxy nextcloud-aio-apache:11000 {
        header_up X-Forwarded-Proto "https"
        header_up Host {host}
    }
}

http://{$NC_DOMAIN} {
    reverse_proxy nextcloud-aio-apache:11000 {
        header_up X-Forwarded-Proto "http"
        header_up Host {host}
    }
}

Note

🚨 Do NOT manually replace the {$NC_DOMAIN} variable. It will be automatically populated with the value from your environment variables.

🐳 Caddy.Dockerfile

Create a Caddy.Dockerfile with the following content:

FROM caddy:2.9.1-builder-alpine AS builder
RUN xcaddy build --with github.com/mholt/caddy-l4@87e3e5e2c7f986b34c0df373a5799670d7b8ca03

FROM caddy:2.9.1-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

🎯 Step 5: Deploy Nextcloud AIO

Follow these steps to set up and access your Nextcloud instance:

🚀 Deployment Steps

Start the containers:

docker compose up --build --pull always --wait

Monitor the logs:
```
docker compose logs --follow
```
Access the AIO interface:
- Navigate to: https://ip.address.of.server:8080/
- Example: https://192.168.0.2:8080/
Configure your domain:
- Submit your configured $NC_DOMAIN
Provision Nextcloud:
- Follow the AIO setup wizard
Access your Nextcloud:
- Navigate to: https://$NC_DOMAIN/
- Example: https://nextcloud.your-tailnet.ts.net/
🎉 Setup Complete!

🔧 Troubleshooting

❗ If It Doesn't Work

Try the following solutions:

🔓 Try setting OAuth permissions to ALL
🔥 If it times out, check your firewall logs
🔄 We recently updated docker-compose.yml, so please try again
🪟 If you're using Windows, try adjusting the Automatic Metric Setting

🔄 Docker Reset Commands

If nothing else works, use these commands to completely reset your setup:

Caution

⚠️ DANGER ZONE: Running these commands will reset ALL Docker containers, volumes, networks, etc.!
Only use this as a last resort.

🔴 CLICK TO REVEAL RESET COMMANDS

# Stop and remove all Nextcloud containers and volumes
docker compose down --volumes
docker rm -f $(docker ps -aq --filter name=^nextcloud-aio --filter name=^nextcloud_aio)
docker volume rm $(docker volume list -q --filter name=^nextcloud-aio --filter name=^nextcloud_aio)
docker network remove nextcloud-aio

# Optional: Remove data directories (uncomment if needed)
#sudo rm -rf /mnt/ncdata
#sudo rm -rf /mnt/hdd_toshiba/ncdata

# Restart system services
sudo systemctl daemon-reload
sudo systemctl restart NetworkManager
sudo systemctl restart network
sudo systemctl restart docker

🔍 Post-Reset Verification

After force stopping, verify that the Nextcloud entry is no longer visible in the Tailscale Admin Console:

Important Steps:

❌ Delete the Tailscale machine entry before proceeding with Step 5
🔄 Restart your client PC to clear any Tailscale route cache

🙏 Acknowledgments

Special thanks to frazar for valuable advice and contributions.

📅 Latest Updates

2025-08-05: Added Tailscale Admin Console configuration instructions with 絵文字デコレーション
2025-05-03: Changed the tag to beta, updated command to docker compose up --pull always
2025-04-25: Changed Caddy container network mode to service:tailscale
2025-04-25: Added headers to Caddyfile configuration

darkgrid · 2024-10-22T06:01:20Z

darkgrid
Oct 22, 2024

hi ,
i dont know much , where do we need to make the environment file and the caddy file

13 replies

margotwolfe Feb 3, 2025

log file is pretty long, gonna attach it below. i'm fairly new to this so I'm not 100% sure what to make of it.
output.log

frazar Feb 3, 2025

I believe you have a typo in your Caddyfile. Can you add $ before NC_DOMAIN like shown in the guide?

margotwolfe Feb 3, 2025

You are correct, I had missed the $ before NC_DOMAIN. now that I have that fixed, is it as simple as stopping the containers and restarting them, or is there a different process i should do?

frazar Feb 3, 2025

This should be sufficient

docker compose down 
docker compose up

margotwolfe Feb 3, 2025

awesome, was able to close it down and restart it, Caddy is happier now, but I'm still having DNS issues. Going thru the docker resource about it, but not 100% how i will go about fixing it.

edit: realizing the log is throwing a fit about bridge-nf-call-iptables is disabled and bridge-nf-call-ip6tables is disabled
I am using nftables and firewalld on the host machine if that context is important

flll · 2024-10-22T09:52:16Z

flll Oct 22, 2024
Collaborator Author

Yes, I've been running this setup for a few weeks now, and
so far I've been able to use Talk, Office, and other features without any errors.

szaimen · 2024-10-22T09:53:35Z

szaimen Oct 22, 2024
Maintainer

Nice!

szaimen · 2024-10-22T09:54:03Z

szaimen Oct 22, 2024
Maintainer

See #5460

A4alli · 2024-10-22T15:49:38Z

A4alli
Oct 22, 2024

This is amazing @flll , I am trying to achieve the same since a month. But I am not using docker. Can you KINDLY make a script like the one for nextcloud with nginx as server, caddy as reverse proxy, tailscale and cloudflare as DNS.
I have posted in nextcloud help desk today. Have a look to my conf,config,PHP,nginx, caddy files, https://help.nextcloud.com/t/nextcloud-tailscale-cloudflare-as-dns-and-caddy-as-reverse-proxy/207463 please

regards

7 replies

A4alli Oct 25, 2024

Thankyou for the kind advice. I will go for it on Monday. Well I thought that I already am in lcx,doesn't it mean the same docker hardening?

A4alli Oct 25, 2024

Can you please enlighten the disadvantage?

A4alli Oct 25, 2024

with that AIO, can caddy be installed on different separate container/ VM . ( for example: caddy in a separate proxmox LCX container and nextcloud AIO in a separate Proxmox VM. but both VM and LXC are on same network but different subnets. Is this possible?

flll Oct 25, 2024
Collaborator Author

with that AIO, can caddy be installed on different separate container/ VM . ( for example: caddy in a separate proxmox LCX container and nextcloud AIO in a separate Proxmox VM. but both VM and LXC are on same network but different subnets. Is this possible?

I would recommend using Kubernetes or Docker Swarm.
If you're using compose, using Swarm would provide compatibility.
I'm not familiar with this guide, so please try it yourself.

flll Oct 25, 2024
Collaborator Author

Can you please enlighten the disadvantage?

Docker-based deployment has very few disadvantages.
The only real drawback is the learning curve required to master Docker.

abe-101 · 2024-10-23T03:42:18Z

abe-101 Oct 23, 2024

I used the nginx.conf from the projects readme (link in my original comment)

What is nextcloid.conf? Never heard of that

I simply used the docker compose from the README (I had to comment and uncomment some lines)

A4alli · 2024-10-23T19:14:52Z

A4alli Oct 23, 2024

apology, it's nextcloud.conf.

flll · 2024-10-24T08:41:28Z

flll Oct 24, 2024
Collaborator Author

Is your configuration something like this?
[tailnet]-->[host-tailscaled]-->[nginx-ssl]-->[nextcloud-aio-apache]-->[nextcloud]
When using Tailscale VPN, the connection is always encrypted, so encryption by Nginx is redundant and unnecessary. Double encryption adds extra load, which is not recommended. Let's leave the internal communication unencrypted and rely on Tailscale for security.
For external access, you can use Tailscale's funnel feature to expose your service to the internet, complete with SSL certificates.
Also, even if you have Tailscale deployed on the host server, you can still deploy Tailscale in Docker containers.
This guide is about creating a new hostname within the Tailnet and making it accessible from within the Tailnet.
@abe-101

A4alli · 2024-10-24T12:22:22Z

A4alli Oct 24, 2024

@flll what about my case?

flll · 2024-10-24T12:32:38Z

flll Oct 24, 2024
Collaborator Author

@A4alli
If I were to comment, I might suggest changing the resolver from 1.1.1.1 1.0.0.1 to 100.100.100.100, or note that the PHP handler isn't specified (though it might be in /etc/nginx/conf.d/.conf files). Otherwise, the nginx.conf looks fine.
If you can flexibly configure Nextcloud in detail and maintain it yourself, installing directly on the host can be a good approach. However, it's a legacy method, so migrating to a container-based setup is also a viable option.
The deployment process for nextcloud-aio is thoroughly documented in the AIO repository. Why not give it a try?

abishekmuthian · 2024-10-24T15:00:38Z

abishekmuthian
Oct 24, 2024

Thank you for your work @flll .

But no matter how many times I try the procedure, the hostname I give in the compose environment doesn't get created in the tailscale and rather a random ephemeral hostname is created after manually authenticating using the url in the log.

tailscale-1                    | To authenticate, visit:
tailscale-1                    | 
tailscale-1                    | 	https://login.tailscale.com/a/6ff94430152e1
tailscale-1                    | 


tailscale-1                    | 2024/10/24 14:53:12 health(warnable=no-derp-connection): error: Tailscale could not connect to the relay server with ID '0'. Your Internet connection might be down, or the server might be temporarily unavailable.

My Internet and Network connection is fine.

But I cannot log into the nextcloud instance even with the the randomly generated hostname in my tailnet.

18 replies

flll Oct 25, 2024
Collaborator Author

This error seems to be due to Caddy failing to connect to nextcloud-aio-apache.
This is likely happening because Caddy is being executed before Apache starts up.
Clicking the "start container" button in nextcloud-aio should start both Nextcloud and Apache.
You can safely ignore this initially.

Regarding the ephemeral label for the Nextcloud host in Tailscale:

Yes, using an OAuth key makes it ephemeral.
Ephemeral nodes will reset when restarted.
While you can configure it as non-ephemeral, this will create new nodes (nextcloud-1, nextcloud-2, nextcloud-3...) every time you restart.
Please refer to the official "Tailscale on Docker" documentation for more details.

Regarding ACL editing in Tailscale:

ACLs work dynamically and apply immediately. If connectivity is lost right after making changes, there's likely an issue with the ACL configuration.
"autogroup:admin" is automatically generated by the tailscale-admin-console.
If changing from autogroup to group causes loss of connectivity, it's likely because either:

group:admin is undefined
ACL is missing

Example ACL configuration:

{
	"groups": {
		"group:admin": ["example@mail.jp", "flll@github"],
		"group:azuki": ["tuyu@azuki.com"],
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["group:admin"],
			"dst":    ["tag:nextcloud:*"],
		},
        ]
}

Note that "autogroup:admin" and "group:admin" are completely different groups.
If you want to make Nextcloud accessible to all members or external users, set src to "*" and dst to "*:*".

Please refer to Tailscale's autogroup documentation for more details.

flll Oct 25, 2024
Collaborator Author

Thank you

Thank you as well. I was able to respond quickly because I've made the same mistake before, haha.
Thank you for your question.(o・ω・o)

A4alli Oct 31, 2024

Non-ephemeral will make new nodes? Or ephemeral??

VatsalJagani Aug 2, 2025

HTTPS Certificates

@flll - Thanks for this post. Really useful.

I've been struggling for last few days to get it working.
I have finally realized from your comment here that we need to enable HTTPS Certificates.
Can you please update your Post with following for future users:

Prerequisite Steps on TailScale:

1. Create TailScale Account if you don't own already
    * https://login.tailscale.com

2. Copy the Tailnet name
    * TailScale > DNS

3. Enable HTTPS Certificates
    * TailScale > DNS
    * Enable HTTPS Certificates (disabled by default now on TailScale)

4 Create nextcloud tag in ACL
    * TailScale > AccessControl
    * Uncomment and create nextcloud tag under tagOwners section.
    * example below but could be different depending on how your exicting ACL is configured:

"tagOwners": {
    "tag:nextcloud": ["autogroup:admin"],
},

5. Generate OAuth Client:
    * TailScale > Settings > OAuth Client
    * Generate OAuth Client
    * Select Scope:
        * All writes under Devices
        * Make sure to select the tag as nextcloud.
        * Test with All scope in-case things don't work.
    * Copy the generated credentials as we use it later for environment variable TS_AUTH_KEY.

flll Aug 5, 2025
Collaborator Author

@VatsalJagani

Thank you for providing this valuable information!
I have added this detailed step-by-step guide to the wiki!
I sincerely appreciate your contribution to the community!

🙏

rzimmerdev · 2024-10-24T22:20:11Z

rzimmerdev
Oct 24, 2024

Did anyone get this error?

docker compose up
[+] Running 3/0
✔ Container nextcloud-aio-mastercontainer Created 0.0s
✔ Container maverick-caddy-1 Recreated 0.1s
✔ Container maverick-tailscale-1 Recreated 0.1s
Attaching to caddy-1, tailscale-1, nextcloud-aio-mastercontainer

tailscale-1 | boot: 2024/10/24 22:18:21 Running 'tailscale up'
tailscale-1 | Status: 400, Message: "requested tags [tag:nextcloud] are invalid or not permitted"
tailscale-1 | boot: 2024/10/24 22:18:22 failed to auth tailscale: failed to auth tailscale: tailscale up failed: exit status 1
...
tailscale-1 | boot: 2024/10/24 22:18:23 [warning] failed to symlink socket: file exists
tailscale-1 | To interact with the Tailscale CLI please use tailscale --socket="/tmp/tailscaled.sock"

12 replies

Kendellb Oct 27, 2024

Hmm... It's probably a discrepancy in the ACL settings, or Maybe because it's set to "tailv2133.ts.net" and the default "tainet-name", it might be better to generate a new one??? Just a guess though.
CLICK!

Thank you for your help and for this amazing guide @flll . I was setting the host name to the same name as my server and I did not realized that it was making new machine server-1 in tailscale. Thank you again for your help!!!

MateuszFido Oct 27, 2024

This was also the root of my issue. Remember that the hostname to provide both in compose.yml and the Nextcloud admin console is the new, ephemeral hostname created by Tailnet, not the current hostname of your physical machine!

BaoAn21 Feb 6, 2025

@MateuszFido what do you mean by new, ephemeral hostname created by Tailnet? Where can I find those?

BaoAn21 Feb 6, 2025

I read everything in this guild but still can not access Nextcloud using my endpoint
I checked log in nextcloud container
cURL error 6: Could not resolve host: nextcloud.jamnapari-solfege.ts.net (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://nextcloud.jamnapari-solfege.ts.net/hosting/discove

frazar Feb 6, 2025

The value of NC_DOMAIN must be a string that ends with a . followed by the "Tailnet name" that Tailscale has assigned you, which you can find at https://login.tailscale.com/admin/dns.

Supposing that your Tailnet name is tail23ab5.ts.net, then NC_DOMAIN must end with .tail23ab5.ts.net. In this case, valid value for NC_DOMAIN could be nextcloud.tail23ab5.ts.net.

SteveImmanuel · 2024-10-25T03:32:53Z

SteveImmanuel
Oct 25, 2024

Nice guide! Thanks so much.
One issue that I found during my deployment is that the compose file syntax. Particulary the environment in the caddy and tailscale service. They need to be in key:pair format or map format. So either use:

environment:
      NC_DOMAIN: nextcloud.your-tailnet.ts.net

or

environment:
      - NC_DOMAIN=nextcloud.your-tailnet.ts.net

Note: same goes for the tailscale service environment.

11 replies

SteveImmanuel Oct 28, 2024

Yes the nextcloud-aio-mastercontainer does indeed run on port 8080. However, it only responsibles for first time setup when you provision the nextcloud instance. After that, the nextcloud-aio-nextcloud needs to be accessible from port 80 and 443 for service discovery and to handle the certificates as nextcloud need a valid SSL certificate to function. But please correct me if I'm wrong.
This is the log from my nextcloud-aio-nextcloud container:

[28-Oct-2024 00:52:48] NOTICE: fpm is running, pid 400
[28-Oct-2024 00:52:48] NOTICE: ready to handle connections
Activating Collabora config...
✓ Reset callback url autodetect
Checking configuration
🛈 Configured WOPI URL: https://nextcloud.tail42526.ts.net
🛈 Configured public WOPI URL: https://nextcloud.tail42526.ts.net
🛈 Configured callback URL: 

✓ Fetched /hosting/discovery endpoint
✓ Valid mimetype response
✓ Valid capabilities entry
✓ Fetched /hosting/capabilities endpoint
✓ Detected WOPI server: Collabora Online Development Edition 24.04.8.1

Collabora URL (used for Nextcloud to contact the Collabora server):
  https://nextcloud.tail42526.ts.net
Collabora public URL (used in the browser to open Collabora):
  https://nextcloud.tail42526.ts.net
Callback URL (used by Collabora to connect back to Nextcloud):
  autodetected (will use the same URL as your user for browsing Nextcloud)

A4alli Oct 28, 2024

well I am using only via tailscale network. So I will not need any ports to forward. next I toggol on HTTPS in tailscale Admin counsel which give me lets encrypt https. right now Im stuck on provisioning screen. I cannot visit my nextclous AIO via tailscale domain. I am pasting the required data asked by @flll, when he will analyze about what is wrong.

SteveImmanuel Oct 31, 2024

Even with tailscale, you need those port to make it accessible inside your tailscale network

sym-afk Dec 6, 2024

Even with tailscale, you need those port to make it accessible inside your tailscale network

How to open up these ports in tailscale, whether it has to be done on the newly created nextcloud node or the host/server node in tailscale n/w.

chamabreu Dec 6, 2024

I am running the whole system without any port forwarding or opening.

Only in the docker compose there are the port mappings, to make the container accessible.

The AIO master Container is only accessible over the ipadress from the Host running the Master container.
See ports on AIO master Container in docker compose:

ports:
      - 0.0.0.0:8080:8080

But the rest of nextcloud does not need any port changing and is only accessible over your Domain you give into the environment variables.

blazing-ph0enix · 2024-10-25T07:20:18Z

blazing-ph0enix
Oct 25, 2024

Okay, one question:

Should I "sudo dnf install tailscale" on my host, then follow all this docker compose things? because how would I declare ACL dst 'nextcloud.your-tailnet.ts.net'? Or do I add my device manually in tailscale admin?

I might be very less informed about ACL and tags, but I am trying to learn and doing all this to use nextcloud-aio is tiring, but I am trying my best.

Thanks!

PS: I was using this

{
  "tagOwners": {
    "tag:nextcloud": ["autogroup:admin"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:nextcloud"],
      "dst": ["nextcloud.your-tailnet.ts.net:*"]
    }
  ]
}

8 replies

blazing-ph0enix Oct 25, 2024

Hey @flll

What I did:

Sudo dnf install tailscale
Setup my host with tailscale, named "fedora"
Made ACL like this:

{
	"tagOwners": {
		"tag:fedora": ["autogroup:admin"]
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["tag:fedora"],
			"dst":    ["Tailscale_ip_of_fedora:*"]
		}
	]
}

Followed your guid
There was a new machine in my tailscale, named Fedora-1
Can't access nextcloud
Apache container unhealthy
Problem loading site for my NC_DOMAIN

I am sure I misunderstood a lot of things, looking for pointers, thanks!

blazing-ph0enix Oct 25, 2024

New Setup:

Only one machine on Tailscale (that too the one from docker compose file tailscale)
ACL:

{
	"tagOwners": {
		"tag:nextcloud": ["autogroup:admin"]
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["tag:nextcloud"],
			"dst":    ["tag:nextcloud:*"]
		}
	]
}

Still Apache container unhealthy
All other container working well, but the apache logs and master container logs are same as earlier

flll Oct 25, 2024
Collaborator Author

My docker logs apache says:
This is normal.

Please check the following conditions:

The guide's compose.yml starts before nextcloud-aio-apache
The nextcloud-aio network in compose.yml is properly applied

If it's not working even though the order is correct, execute the following commands:

docker compose down;\
docker stop $(docker ps -aq);\
docker rm $(docker ps -aq);\
docker network rm nextcloud-aio

These commands will delete existing docker containers and networks.
Please execute with caution as this can be dangerous.
After execution, run docker compose up -d and deploy nextcloud-aio again.

New Setup

Please configure ACL according to your environment.
If you want to try a configuration unrelated to the guide, please refer to the official documentation.

blazing-ph0enix Oct 26, 2024

@flll Brother, I finally did it. Nextcloud-AIO worked!!!

What I did?

Changed my default tailname
Made some changes in ACL
Made fresh docker compose containers
Crossed my fingers before entering the tail domain 😂

Thanks a lot!
I have learnt a lot of things and will make some experiments like what changes will make it stop working. Might make a guide of my own for basic noobs like myself 🙃

flll Oct 27, 2024
Collaborator Author

@blazing-ph0enix
Congratulations! That's a fantastic achievement. I'm so happy to see that your persistence and ingenuity have paid off.

Crossing your fingers is indeed an essential step in solving technical problems! 😄

It's wonderful that you're planning to share what you've learned with others. A guide for beginners will be incredibly helpful for many people.

I'm looking forward to your future experiments. If you make any new discoveries, please do share them. Your experiences will be a valuable source of information for the community.

Keep up the great work. And remember, if you ever run into any issues, don't hesitate to ask for help.

MateuszFido · 2024-10-26T21:07:21Z

MateuszFido
Oct 26, 2024

Thanks for the guide, it's great but I cannot make it work for myself.
I'm stuck at the point of connecting to my $NC_DOMAIN.

My compose.yaml:

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line cannot be changed.
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:8080:8080
    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 127.0.0.1
      SKIP_DOMAIN_VALIDATION: true
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    environment:
      - NC_DOMAIN=mydomain.my-tailnet.ts.net # Change this to your domain ending with .ts.net in the format {$TS_HOSTNAME}.{tailnetdomain}
    volumes:
      - type: bind
        source: ./Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
        read_only: true
    network_mode: service:tailscale
  tailscale:
    image: tailscale/tailscale:latest
    environment:
      - TS_HOSTNAME=mydomain # Enter the hostname for your tailnet
      - TS_AUTH_KEY=tskey-client-kPFRs4aRK721CNTRL # OAuth client key recommended
      - TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # Tags are required when using OAuth client
    init: true
    restart: unless-stopped
    volumes:
      - /dev/net/tun:/dev/net/tun
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # Mounting the entire /tmp folder to access tailscale.sock
    cap_add:
      - NET_ADMIN
      - NET_RAW
    networks:
      - nextcloud-aio
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed.
  caddy_certs:
    name: caddy_certs
  caddy_data:
    name: caddy_data
  caddy_config:
    name: caddy_config
  tailscale:
    name: tailscale
  tailscale_sock:
    name: tailscale_sock
networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "9001" # Jumbo Frame
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio

My ACL:

"tagOwners": {
		"tag:nextcloud": ["autogroup:admin"],
	},

	// Define access control lists for users, groups, autogroups, tags,
	// Tailscale IP addresses, and subnet ranges.
	"acls": [
		// Allow all connections.
		// Comment this section out if you want to define specific restrictions.
		{"action": "accept", "src": ["*"], "dst": ["*:*"]},

		// Allow users in "group:example" to access "tag:example", but only from
		// devices that are running macOS and have enabled Tailscale client auto-updating.
		// {"action": "accept", "src": ["group:example"], "dst": ["tag:example:*"], "srcPosture":["posture:autoUpdateMac"]},
	],

	// Define postures that will be applied to all rules without any specific
	// srcPosture definition.
	// "defaultSrcPosture": [
	//      "posture:anyMac",
	// ],

	// Define device posture rules requiring devices to meet
	// certain criteria to access parts of your system.
	// "postures": {
	//      // Require devices running macOS, a stable Tailscale
	//      // version and auto update enabled for Tailscale.
	// 	"posture:autoUpdateMac": [
	// 	    "node:os == 'macos'",
	// 	    "node:tsReleaseTrack == 'stable'",
	// 	    "node:tsAutoUpdate",
	// 	],
	//      // Require devices running macOS and a stable
	//      // Tailscale version.
	// 	"posture:anyMac": [
	// 	    "node:os == 'macos'",
	// 	    "node:tsReleaseTrack == 'stable'",
	// 	],
	// },

	// Define users and devices that can use Tailscale SSH.
	"ssh": [
		// Allow all users to SSH into their own devices in check mode.
		// Comment this section out if you want to define specific restrictions.
		{
			"action": "check",
			"src":    ["autogroup:member"],
			"dst":    ["autogroup:self"],
			"users":  ["autogroup:nonroot", "root"],
		},
	],

	// Test access rules every time they're saved.
	// "tests": [
	//  	{
	//  		"src": "alice@example.com",
	//  		"accept": ["tag:example"],
	//  		"deny": ["100.101.102.103:443"],
	//  	},
	// ],
}

Caddy seems to recognize the domain name correctly, i.e. it resolves $NC_DOMAIN correctly.

Tailscale logs:

2024/10/26 20:54:17 monitor: gateway and self IP changed: gw=172.18.0.1 self=172.18.0.2
2024/10/26 20:54:17 wgengine: Reconfig: configuring userspace WireGuard config (with 0/3 peers)
2024/10/26 20:54:17 wgengine: Reconfig: configuring router
2024/10/26 20:54:17 wgengine: Reconfig: configuring DNS
2024/10/26 20:54:17 dns: Set: {DefaultResolvers:[] Routes:{} SearchDomains:[] Hosts:4}
2024/10/26 20:54:17 dns: Resolvercfg: {Routes:{} Hosts:4 LocalDomains:[]}
2024/10/26 20:54:17 dns: OScfg: {}
2024/10/26 20:54:17 peerapi: serving on http://100.88.14.63:42665
2024/10/26 20:54:17 peerapi: serving on http://[fd7a:115c:a1e0::f001:e3f]:42665
2024/10/26 20:54:17 magicsock: home is now derp-4 (fra)
2024/10/26 20:54:17 magicsock: adding connection to derp-4 for home-keep-alive
2024/10/26 20:54:17 magicsock: 1 active derp conns: derp-4=cr0s,wr0s
2024/10/26 20:54:17 magicsock: endpoints changed: 31.10.141.0:13401 (stun), 172.18.0.2:57177 (local)
2024/10/26 20:54:17 derphttp.Client.Connect: connecting to derp-4 (fra)
2024/10/26 20:54:17 Switching ipn state Starting -> Running (WantRunning=true, nm=true)
2024/10/26 20:54:17 control: NetInfo: NetInfo{varies=false hairpin= ipv6=false ipv6os=true udp=true icmpv4=false derp=#4 portmap= link="" firewallmode=""}
boot: 2024/10/26 20:54:17 Startup complete, waiting for shutdown signal
2024/10/26 20:54:17 magicsock: derp-4 connected; connGen=1

Tried opening 443 (TCP and UDP), 80, 8080 (out of desperation) in firewall and even disabling the firewall completely, none of it helped

Seems that no matter what I do, in the nextcloud container I see:

Failed to fetch discovery endpoint from https://mydomain.my-tailnet.ts.net 
2024-10-26T20:14:35.885045556Z cURL error 7: Failed to connect to mydomain.my-tailnet.ts.net port 443 after 1 ms: Could not connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://mydomain.my-tailnet.ts.net/hosting/discovery

Pinging the domain name within tailscale works without problems

3 replies

flll Oct 27, 2024
Collaborator Author

@MateuszFido
Please check the following conditions:

Whether nextcloud-aio network is defined correctly as specified in compose.yml
Whether the nextcloud-aio network defined in compose.yml is created before nextcloud-aio-apache and nextcloud-aio-nextcloud start up.

If you need to redo it, execute the following commands:

docker compose down;\
docker stop $(docker ps -aq);\
docker rm $(docker ps -aq);\
docker network rm nextcloud-aio

These commands will delete existing docker containers and networks.
Please execute with caution as this can be dangerous.
After execution, run docker compose up -d and deploy nextcloud-aio again.

MateuszFido Oct 27, 2024

Yep, did those many times, my friend

Finally got it today: the same issue as @Kendellb, the hostname to configure is the new, ephemeral hostname generated by Tailscale, not the current hostname of the physical machine hosting Nextcloud in tailnet. Initially, I thought your machine was just named "nextcloud" in your tailnet before running all the containers.

It's worth remembering that setting the hostname provided to Nextcloud in the admin console cannot be undone - so just removing the containers, and even doing docker system prune -a won't work. You need to reinstall from scratch, removing all the volumes.

This was totally unclear to me from the guide, maybe it could be mentioned?

Anyway, thanks a lot, it's a great setup nonetheless 👍

vinayak19th Dec 13, 2024

I'm still having this issue. I'm using the ephemeral hostname but still having issues

A4alli · 2024-10-27T13:54:34Z

A4alli
Oct 27, 2024

31 replies

blazing-ph0enix Oct 29, 2024

@blazing-ph0enix what is the Health status of your Apache container?

Right now, Unhealthy, because I haven't deleted old machines from admin console

blazing-ph0enix Oct 29, 2024

@blazing-ph0enix what is the Health status of your Apache container?

and also Security and setup Warnings. if you please share in pastebin

Can't use my pc right now. Will try tomorrow.
Family gathering at home 😅

A4alli Oct 30, 2024

Any update

blazing-ph0enix Oct 30, 2024

Any update

Yes, I will make a new comment for my specific case, I will add all the logs in it

A4alli Oct 31, 2024

@flll if you please jump in to here to see the issues, KINDLY

A4alli · 2024-10-28T14:29:03Z

A4alli
Oct 28, 2024

Finally access the domain.

9 replies

flll Nov 4, 2024
Collaborator Author

@A4alli

I don't want to access my nextcloud-AIO from outside other than tail scale

The funnel feature will expose your service to the public internet.
If you don't want public access, please disable the funnel feature.
Please refer to the Tailscale guide for more details.

Moreover, what about the error in nextcloud0master-container...

This error message indicates that debug information is currently hidden. While it's recommended to keep error details concealed in production environments for security purposes, you can temporarily enable detailed error display when troubleshooting is necessary. Once you've resolved the issue, it's advisable to return to the default secure configuration where error details are hidden from end users.

And the security warnings...

Please remove all containers and networks, then redeploy.
If Nextcloud is successfully deployed, you can safely ignore these warnings.

docker-socket-proxy test is always failing at Init step.

If you're unsure how to use it or don't plan to use it, I recommend not using it.

does WebDav working in nextcloud-aio by default...

If Nextcloud is working, WebDAV should also be available by default.

@rinkfaraway

Security settings are already included in nextcloud-aio-apache,
so you can keep the Caddyfile at its default settings as shown in the guide,
just set up reverse proxy to nextcloud-aio-apache.

Are you trying to use both cloudflared and tailscaled tunnels?
If so, add network_mode: service:caddy to both cf and ts to attach them to caddy's NIC (127.0.0.1).

A4alli Nov 4, 2024

Amazing. My nextcloud is functioning well by default. I mean from starting. I think I have no need to remove and redeploy. But of course security and setup warnings will stay the same as in the pastebin. (Or should it remove and redeploy and will get rid of the warnings)

Point 6. You have pasted a diagram. A bit confusion, if you may please help me with it. I want to use cloudflare as DNS not a reverse proxy or tunnel. I have caddy-dns-cloudflare-module.
⚠️ how to setup DNS record in cloudflare for such setup. Will it be CNAME or A or AAAA record? To which IP or address I have to do it so to get cloudflare DNS resolver along Tailscale. From jellyfin video posted by tailscale, @alex has redirected caddy container ts-domain as CNAME in cloudflare DNS. What will be in out nextcloud case.

A4alli Nov 5, 2024

@flll @szaimen https://help.nextcloud.com/t/security-and-setup-warnings-nextcloud-aio-30-0-1/208752/2
please must look into this matter. I think it need due attention.

A4alli Nov 5, 2024

moreover @flll the notify-push failed in here according to your guide

2024-11-05T15:59:01.241513477Z Connection to nextcloud-aio-nextcloud (172.18.0.x) 9001 port [tcp/*] succeeded!
2024-11-05T15:59:01.253060607Z notify-push was started
2024-11-05T15:59:02.625728570Z [2024-11-05 15:59:02.624874 +00:00] ERROR [notify_push] src/main.rs:84: Self test failed: Error while communicating with nextcloud instance: error sending request for url (https://nextcloud.tailscale.ts.net/index.php/apps/notify_push/test/version)

A4alli Nov 11, 2024

@A4alli If you want to allow connections from outside the tailnet (public access using Funnel), you need to add serve.json. In the following example, serve.json is written directly within the compose.yml file, so I'll use this example. If you use this example as is, you don't need to create separate Caddyfile and serve.json files.

CLICK!

THIS IS CREATING A TONS OF CLONE MACHINE IN MY TAILSCALE

blazing-ph0enix · 2024-10-31T05:20:41Z

blazing-ph0enix
Oct 31, 2024

Hey, So I have tried a lot of things, now my experience is like this:

I did everything as the guide. What I faced is that my nextcloud instance worked perfectly for first time. But after a reboot, I couldn't access my instance because apache container was unhealthy? Maybe because my tailscale admin console showed 'server-1' ephemeral machine instead of using 'server' which was host name in docker compose tailscale environments. So I had to delete my 'server' machine everytime before rebooting, so that after reboot 'server' machine is created instead of 'server-1' etc.
I researched a lot, so I tried adding 'TS_STATE_DIR=/var/lib/tailscale' in environments of Tailscale service in docker compose.
Now, after every reboot my tailscale admin console mentions 'server' machine, so which means it remembers the state and tailscale ip is also same but yeah, it's still ephemeral so not sure if that's any issue.
When I enter my Tail domain, it says:

Unable to connect

An error occurred during a connection to server.rohu-nessie.ts.net.

These are my logs, thank you for reading and let me know if you have any tips.

Apache logs:

2024-10-30T08:08:25.073530751Z Waiting for Nextcloud to start...
2024-10-30T08:08:30.077841467Z Connection to nextcloud-aio-nextcloud (172.18.0.2) 9000 port [tcp/*] succeeded!
2024-10-30T08:08:32.153962851Z {"level":"info","ts":1730275712.1528685,"msg":"using config from file","file":"/tmp/Caddyfile"}
2024-10-30T08:08:32.156079603Z {"level":"info","ts":1730275712.155,"msg":"adapted config to JSON","adapter":"caddyfile"}
2024-10-30T08:08:32.234077578Z [Wed Oct 30 08:08:32.231068 2024] [mpm_event:notice] [pid 58:tid 58] AH00489: Apache/2.4.62 (Unix) configured -- resuming normal operations
2024-10-30T08:08:32.234117911Z [Wed Oct 30 08:08:32.231133 2024] [core:notice] [pid 58:tid 58] AH00094: Command line: '/usr/local/apache2/bin/httpd -D FOREGROUND'

Nextcloud logs:

2024-10-30T08:08:26.099483087Z [30-Oct-2024 08:08:26] NOTICE: fpm is running, pid 399
2024-10-30T08:08:26.099521081Z [30-Oct-2024 08:08:26] NOTICE: ready to handle connections
2024-10-30T08:08:40.857901402Z Activating Collabora config...
2024-10-30T08:08:41.766934909Z ✓ Reset callback url autodetect
2024-10-30T08:08:41.766972860Z Checking configuration
2024-10-30T08:08:41.766982102Z 🛈 Configured WOPI URL: https://server.rohu-nessie.ts.net
2024-10-30T08:08:41.766989585Z 🛈 Configured public WOPI URL: https://server.rohu-nessie.ts.net
2024-10-30T08:08:41.766996553Z 🛈 Configured callback URL:
2024-10-30T08:08:41.767002835Z
2024-10-30T08:08:41.865833719Z Failed to fetch discovery endpoint from https://server.rohu-nessie.ts.net
2024-10-30T08:08:41.866405353Z cURL error 6: Could not resolve host: server.rohu-nessie.ts.net (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://server.rohu-nessie.ts.net/hosting/discovery

Redis:

2024-10-30T08:06:44.427595043Z 8:M 30 Oct 2024 08:06:44.353 # Redis is now ready to exit, bye bye...
2024-10-30T08:07:44.753650530Z Redis has started

Database:

2024-10-30 08:07:45.840 UTC [14] LOG:  starting PostgreSQL 16.4 on x86_64-pc-linux-musl, compiled by gcc (Alpine 13.2.1_git20240309) 13.2.1 20240309, 64-bit
2024-10-30T08:07:45.841881733Z 2024-10-30 08:07:45.841 UTC [14] LOG:  listening on IPv4 address "0.0.0.0", port 5432
2024-10-30T08:07:45.841902318Z 2024-10-30 08:07:45.841 UTC [14] LOG:  listening on IPv6 address "::", port 5432
2024-10-30T08:07:45.846316627Z 2024-10-30 08:07:45.846 UTC [14] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2024-10-30T08:07:45.873990980Z 2024-10-30 08:07:45.873 UTC [24] LOG:  database system was shut down at 2024-10-30 08:06:47 UTC
2024-10-30T08:07:45.893069077Z 2024-10-30 08:07:45.892 UTC [14] LOG:  database system is ready to accept connections

Notify Push:

2024-10-30T08:08:24.834948032Z Waiting for Nextcloud to start...
2024-10-30T08:08:29.838501694Z Connection to nextcloud-aio-nextcloud (172.18.0.2) 9001 port [tcp/*] succeeded!
2024-10-30T08:08:29.840436231Z notify-push was started
2024-10-30T08:08:34.936983393Z [2024-10-30 08:08:34.936482 +00:00] ERROR [notify_push] src/main.rs:84: Self test failed: Error while communicating with nextcloud instance: error sending request for url (https://server.rohu-nessie.ts.net/index.php/apps/notify_push/test/version)

Nextcloud Mastercontainer Logs:

[30-Oct-2024 08:08:56] NOTICE: fpm is running, pid 138
[30-Oct-2024 08:08:56] NOTICE: ready to handle connections
NOTICE: PHP message: 404 Not Found
Type: Slim\Exception\HttpNotFoundException
Code: 404
Message: Not found.
File: /var/www/docker-aio/php/vendor/slim/slim/Slim/Middleware/RoutingMiddleware.php
Line: 76
Trace: #0 /var/www/docker-aio/php/vendor/slim/slim/Slim/Routing/RouteRunner.php(62): Slim\Middleware\RoutingMiddleware->performRouting(Object(GuzzleHttp\Psr7\ServerRequest))
#1 /var/www/docker-aio/php/vendor/slim/csrf/src/Guard.php(482): Slim\Routing\RouteRunner->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#2 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(177): Slim\Csrf\Guard->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Slim\Routing\RouteRunner))
#3 /var/www/docker-aio/php/vendor/slim/twig-view/src/TwigMiddleware.php(117): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#4 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(129): Slim\Views\TwigMiddleware->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#5 /var/www/docker-aio/php/src/Middleware/AuthMiddleware.php(36): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#6 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(280): AIO\Middleware\AuthMiddleware->__invoke(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#7 /var/www/docker-aio/php/vendor/slim/slim/Slim/Middleware/ErrorMiddleware.php(77): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#8 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(129): Slim\Middleware\ErrorMiddleware->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#9 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(73): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#10 /var/www/docker-aio/php/vendor/slim/slim/Slim/App.php(209): Slim\MiddlewareDispatcher->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#11 /var/www/docker-aio/php/vendor/slim/slim/Slim/App.php(193): Slim\App->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#12 /var/www/docker-aio/php/public/index.php(186): Slim\App->run()
#13 {main}
Tips: To display error details in HTTP response set "displayErrorDetails" to true in the ErrorHandler constructor.

My ACL of Tailscale:

{
	"tagOwners": {
		"tag:nextcloud": ["autogroup:admin"],
		"tag:malware":   ["autogroup:admin"]
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["tag:malware"],
			"dst":    ["tag:nextcloud:*"]
		},
		{
			"action": "accept",
			"src":    ["tag:nextcloud"],
			"dst":    ["tag:malware:*"]
		}
	]
}

15 replies

A4alli Nov 1, 2024

For me this guide work fine. Only problem is apache container showing unhealthy. But working

flll Nov 1, 2024
Collaborator Author

I apologize for the delayed response.
Regarding this error shown in the Nextcloud logs:

cURL error 6: Could not resolve host: server.rohu-nessie.ts.net

This error suggests that the nextcloud-aio network is constantly being created, and Tailscale might not be properly connecting to the network
tailscale-aio

Here are the steps to resolve this:

Remove all nextcloud-aio containers

Warning!: This command will stop and remove containers

docker compose down

# Stop containers containing "nextcloud" in their name
docker stop $(docker ps -a | grep nextcloud | awk '{print $1}')

# Remove containers containing "nextcloud" in their name
docker rm $(docker ps -a | grep nextcloud | awk '{print $1}')

Delete the nextcloud-aio network

docker network rm nextcloud-aio

Run docker compose up (-d) again

I didn't find any issues with the ACL settings.

@blazing-ph0enix

flll Nov 1, 2024
Collaborator Author

deleting 'server' machine before rebooting

Please disable the ephemeral setting.
Your OAuth key likely includes "?ephemeral=false"
Simply remove this query parameter.

'TS_STATE_DIR=/var/lib/tailscale'

It's recommended to keep the default state configuration.

"after every reboot my tailscale admin console mentions 'server' machine"

This is likely a temporary issue.
Try refreshing the admin console.

"When I enter my Tail domain..."

Often this is due to insufficient permissions on the client-side Tailscale.
Try adding the 'nextcloud' tag to your client.
By default, communication between devices with the nextcloud tag is allowed.

A4alli Nov 2, 2024

deleting 'server' machine before rebooting

Please disable the ephemeral setting. Your OAuth key likely includes "?ephemeral=false" Simply remove this query parameter.

'TS_STATE_DIR=/var/lib/tailscale'

It's recommended to keep the default state configuration.

"after every reboot my tailscale admin console mentions 'server' machine"

This is likely a temporary issue. Try refreshing the admin console.

"When I enter my Tail domain..."

Often this is due to insufficient permissions on the client-side Tailscale. Try adding the 'nextcloud' tag to your client. By default, communication between devices with the nextcloud tag is allowed.

Thankyou 😍

nashwannose Aug 5, 2025

I apologize for the delayed response. Regarding this error shown in the Nextcloud logs:
cURL error 6: Could not resolve host: server.rohu-nessie.ts.net
This error suggests that the nextcloud-aio network is constantly being created, and Tailscale might not be properly connecting to the network tailscale-aio

Here are the steps to resolve this:
1. Remove all nextcloud-aio containers
Warning!: This command will stop and remove containers
docker compose down

# Stop containers containing "nextcloud" in their name
docker stop $(docker ps -a | grep nextcloud | awk '{print $1}')

# Remove containers containing "nextcloud" in their name
docker rm $(docker ps -a | grep nextcloud | awk '{print $1}')
2. Delete the nextcloud-aio network
docker network rm nextcloud-aio
3. Run `docker compose up (-d)` again
I didn't find any issues with the ACL settings.

@blazing-ph0enix

Hello @flll , thank you for the great work and support

I did reset everything as instructed and read the full discussion here , but no luck getting this fixed !

I always end up with the same error cURL error 6: Could not resolve host: nextcloud.phoenix-solfege.ts.net (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://nextcloud.phoenix-solfege.ts.net/hosting/discovery

PS : all containers shows healthy !, the machine is showing connect on Tailscale admin console!

did try changing DNS, ACL , OAuth keys, no luck

can you please tell me what I'm doing wrong ?

js-surya · 2024-11-05T11:18:02Z

js-surya
Nov 5, 2024

Has anyone tried to deploy using the portainer stack?

Caddy log:

INF ts=1730804048.0603747 msg=using config from file file=/etc/caddy/Caddyfile

Error: adapting config using caddyfile: subject does not qualify for certificate: '{env.NC_DOMAIN}'

I have double-checked my NC_DOMAIN variable.

compose.yml:

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line cannot be changed.
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:8080:8080
    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 127.0.0.1
      SKIP_DOMAIN_VALIDATION: true
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    container_name: caddy
    environment:
      NC_DOMAIN: nextcloud.[redacted].ts.net # Change this to your domain ending with .ts.net in the format {$TS_HOSTNAME}.{tailnetdomain}
    volumes:
      - type: bind
        source: /home/surya/Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
        read_only: true
    network_mode: service:tailscale
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    environment:
      TS_HOSTNAME: nextcloud # Enter the hostname for your tailnet
      TS_AUTH_KEY: tskey-client-kYthXvJbHD21CNTRL-[redacted]  # OAuth client key recommended
      TS_EXTRA_ARGS: --advertise-tags=tag:nextcloud # Tags are required when using OAuth client
    init: true
    restart: unless-stopped
    volumes:
      - /dev/net/tun:/dev/net/tun
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # Mounting the entire /tmp folder to access tailscale.sock
    cap_add:
      - NET_ADMIN
      - NET_RAW
    networks:
      - nextcloud-aio
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed.
  caddy_certs:
    name: caddy_certs
  caddy_data:
    name: caddy_data
  caddy_config:
    name: caddy_config
  tailscale:
    name: tailscale
  tailscale_sock:
    name: tailscale_sock
networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "9001" # Jumbo Frame
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio

Tailscale ACL:

"groups": {
		"group:admin": ["js-surya@github"],
		"group:users": ["user@example.com", "otheruser@example.com"],
	},

	"tagOwners": {
		"tag:nextcloud": ["group:admin"],
	},

	"acls": [
		// Allow general unrestricted access (you can comment this out if needed).
		{"action": "accept", "src": ["*"], "dst": ["*:*"]},

		// Allow users in "group:users" to access any devices tagged with "nextcloud".
		{"action": "accept", "src": ["group:users"], "dst": ["tag:nextcloud:*"]},

I'm not an IT expert, and I'm relatively new to this. My IP is behind CGNAT, and I want to access my Nextcloud server outside my local network using Tailscale. I'm eager to learn, so any suggestions or help would be appreciated.

3 replies

A4alli Nov 5, 2024

NC_DOMAIN=nextcloud.talscale.ts.net
TS_HOSTNAME=nextcloud
TS_AUTH_KEY=ts...
TS_EXTRA_ARGS=--

Remember there is = and than no space

js-surya Nov 5, 2024

TS_HOSTNAME=nextcloud # Hostname in Tailnet
NC_DOMAIN=nextcloud.mydomain.ts.net # Format: {$TS_HOSTNAME}.{$tailnetdomain}.ts.net
TS_AUTH_KEY=tskey-client-kYthXvJbHD21CNTRL-mykey # OAuth client key recommended
TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # For OAuth client key usage

Here is my .env config

A4alli Nov 5, 2024

check my config files above that work

A4alli · 2024-11-05T11:32:00Z

A4alli
Nov 5, 2024

Apache is always unhealthy

docker exec -it nextcloud-aio-apache bash -x /healthcheck.sh

nc -z nextcloud-aio-nextcloud 9000
Connection to nextcloud-aio-nextcloud (172.18.0.1) 9000 port [tcp/*] succeeded!
nc -z 127.0.0.1 8000
Connection to 127.0.0.1 8000 port [tcp/*] succeeded!
nc -z 127.0.0.1 11000
Connection to 127.0.0.1 11000 port [tcp/*] succeeded!
nc -z nextcloud.taiilscale.ts.net 443
nc: getaddrinfo for host "nextcloud.tailscalets.net" port 443: Name does not resolve
echo 'Could not reach nextcloud.tailscalets.net on port 443.'
Could not reach nextcloud.tailscale.ts.net on port 443.
exit 1

5 replies

chamabreu Nov 27, 2024

Same here

A4alli Nov 30, 2024

check my last comment below for solution with serve.json

chamabreu Nov 30, 2024

Checked it.
Sound interesting.

Is there a way to check if a port is open to public?
I am curious that if I add funnel And then remove it, that it really is not public anymore.

Will try and report.
Also I am wondering if this helps for nextcloud office.

A4alli Nov 30, 2024

what about your security and setup warnings?

eliasamaral Aug 22, 2025

I had the same problem. In my case, I noticed that the nextcloud-aio-nextcloud container wasn't joining the nextcloud-aio-apache network. To fix it, I had to delete the container, volumes, networks, and images and create a new "docker compos up." I think deleting the volumes was overkill.

patrick-theprogrammer · 2024-11-08T05:22:55Z

patrick-theprogrammer
Nov 8, 2024

@flll
Thanks for this guide!

Wanted to mention that I was able to get this working without needing caddy at all. I think it simplifies things a bit. Tailscale can natively proxy nextcloud.your-tailnet.ts.net to nextcloud-aio-apache via this method, and it supports https.

Note this employs tailscale serve (as opposed to tailscale funnel) so will only expose the service to your tailnet, not publicly. You could set a funnel flag to true in the json config below to expose it publicly, though some security and performance caveats would apply if you did.

Create a json file on your host with the following

{
  "TCP": {
    "443": {
      "HTTPS": true
    }
  },
  "Web": {
    "${TS_CERT_DOMAIN}:443": {
      "Handlers": {
        "/": {
          "Proxy": "http://nextcloud-aio-apache:11000"
        }
      }
    }
  }
}

on the tailscale container, create a bind mount to the directory where the json file is stored on the host, and supply a TS_SERVE_CONFIG environment parameter to tell tailscale where to look for the json file within the container

See https://tailscale.com/kb/1282/docker#ts_serve_config

42 replies

A4alli Dec 17, 2024

No need of exposing port 8080. You call [tailscal].ts.net:8443

hlieuw Mar 20, 2025

Hey all, i got the setup working with Tailscale server, thx for the info and guide.
However, the local nextcloud services will then only be accessible for tailscale clients, if i am not mistaken.
What if I wanted to make the services accesible to my other local machines without having to configure tailscale on each of them?
Anyone succeeded in that?

A4alli Mar 20, 2025

use funnel but it will expose to internet

Eldorado89 Aug 2, 2025

Hey All,

@patrick-theprogrammer @js-surya @robante15

first of all thanks for the great summary.

For me this guide is much more straightforward and easier rather than using Caddy, because I do not need that one.

Based on your description I managed to put together a running Nextcloud, but what I cannot solve to use the Nextcloud office.
During the usage it always give me a WOPI error.
What I did - under the Nextcloud / Settings etc. -> Office, I added the collabora docker's path (https://nextcloud-aio-collabora plus the port), with this the settings became green, but when I add my network name to the WOPI allow list, (or an IP or anything, or keep it blank), when I would like to use the Nextcloud Office, it still gives me back a WOPI error.

If I understand right, the communications between the nextcloud + the collabora provides to use the full collabora office package but somehow it doesn't allow though WOPI. I have tried to not use https (use the same protocol), or add the IPs and links to the collabora etc. but is doesn't work.

Did you manage to use it properly with this setup?

Many thanks for your help in advance :)

Taserik Aug 17, 2025

Hey all, i got the setup working with Tailscale server, thx for the info and guide. However, the local nextcloud services will then only be accessible for tailscale clients, if i am not mistaken. What if I wanted to make the services accesible to my other local machines without having to configure tailscale on each of them? Anyone succeeded in that?

I would also like to run tailscale with caddy for when I am traveling and when I am home in my local network I would actually like to use my local network to access nextcloud. Is that doable and can someone share knowledge or sources?

Taserik · 2025-08-17T13:12:25Z

Taserik
Aug 17, 2025

Hey, there.

I am having issues with the syncing of the nextcloud-desktop app. I figured out that it has to be the issue with the WebDAV. I get download speeds of <20 kb/s... Does someone run into the same issue? I have tried all kinds of things and can'T seem to find a solution. The web browser version of nextcloud works beautifully fine with this configuration. I am a bit of a noob, so please tell me which logs you need to help me with the problem.

Cheers

6 replies

GmBarde Aug 17, 2025

In my case, the download speed was really slow on mobile network (France) but not in WiFi.
After changing: com.docker.network.driver.mtu: "1280" to "1420" the issue was resolved.

sid314 Aug 18, 2025

In my case, the download speed was really slow on mobile network (France) but not in WiFi. After changing: com.docker.network.driver.mtu: "1280" to "1420" the issue was resolved.

can you explaim what that does

GmBarde Aug 18, 2025

I am not an expert, so take what I say with a pinch of salt ^^'
To my understanding MTU is the maximum size of packets that can be transmited over a network interface. If they exceed this size they are fragmented and based on the network path, packets could be dropped.
I found that 1420 bytes avoid that for me but you might have to change this value (or remove the line to use the default one) based on your network path.

dommcdev Aug 21, 2025

THANK YOU!

I was having this exact same issue as well (both webDAV and desktop client limited to ~20kb/s). Removing the com.docker.network.driver.mtu line completely solved it for me.

Taserik Aug 22, 2025

In my case, the download speed was really slow on mobile network (France) but not in WiFi. After changing: com.docker.network.driver.mtu: "1280" to "1420" the issue was resolved.

This completely seemed to solve my issue. Thank you so much.

eliasamaral · 2025-08-22T00:52:23Z

eliasamaral
Aug 22, 2025

Is it only possible to use tailscale with the all-in-one:beta version?

2 replies

SgtCrowner Oct 17, 2025

nope, just change the beta tag in the compose.yaml to latest.
I did the same thing and everything works fine

eliasamaral Oct 17, 2025

tanks

kurtbahartr · 2025-08-23T19:05:44Z

kurtbahartr
Aug 23, 2025

I followed this guide letter by letter, but I'm having issues pairing it with the desktop app (it's either an error related to TLSv1 before authentication or "Failed to connect to the secure server address" after authentication).

Web access works fine, there's no problem with that.

I also just tried again and it took me lots of trial and error (within the span of 2 days!) to finally authenticate, but sync is still borked.

EDIT: Add screenshot of the TLS error, add more info regarding authentication.

EDIT 2: Add screenshot of the "Failed to connect to the secure server address" error.

5 replies

eliasamaral Aug 23, 2025

Any logs in tailscale, apache or caddy container?

kurtbahartr Aug 24, 2025

Nothing at all, at least checking the logs outputted into the terminal.

eliasamaral Aug 24, 2025

There must be an error somewhere.

Does curl using the domain return a 200?

Is the host where the desktop app is located on the Tailscale network?

kurtbahartr Aug 24, 2025

curling the domain with HTTPS returns the same TLSv1 error.

My client machine is also on the same Tailnet.

EDIT: Doing a curl for the second time returns the proper certificate and connects.

EDIT 2: The mobile app works perfectly (tested on Samsung Galaxy M34 5G running Android 15) even though it's a bit slow (probably has to do with my home network). I'm starting to assume this is a problem at curl's/OpenSSL's end.

kurtbahartr Oct 25, 2025

After doing some work, I found the problem and the solution:

Zapret, a software used to bypass deep packet inspection, causes this. Stopping it when wanting to use my NC instance is the only workaround I could think of.

sdare · 2025-08-25T19:15:46Z

sdare
Aug 25, 2025

Hello! I can attest that this guide & process, as written, got me up and running. Thanks @flll!

Can endorse many of the tips given in this thread:

Yes, you're setting up a tailnet, so all the bits have to be on your tailnet (your docker host, your client system, etc.) for this all to work. May SEEM obvious, but good to keep in front of your mind (since there is a lot a play here!)
Yes, because of this, 'normal' app integration (like Nextcloud Office) may not work out-of-the-box. This was OK for me because I just wanted a solid Nextcloud bare-bones setup...
Yes, during initial setups it make take Tailscale a couple minutes 'catch up', especially with all the certificate and domain validation stuff going on. Don't freak out, like I did, and start tearing everything apart :)

I still have the reported issue of 'breaking after cold host reboot', due to Caddy starting BEFORE Apache & having to 'manually' restart the caddy contain to fix. Any elegant tips appreciated :)

I had fun learning even more about Nextcloud (10+ year user!) & look forward to trying some of the other configs suggested by @A4alli & @patrick-theprogrammer

Cheers to one of the best communities in the open-source world!

3 replies

GuillermoFidalgo Aug 26, 2025

I'm having issues getting started. I did have it up and running for a month but yesterday after updating the containers everything seemed to break and I get the same logs as documented in #6788
any ideas?

eliasamaral Aug 26, 2025

Stop the containers, try deleting the master container, and reinstalling it. This won't erase your data.

GuillermoFidalgo Aug 27, 2025

Tried.. I made a new thread with more details
#6793

CaesarRapose · 2025-08-29T09:43:53Z

CaesarRapose
Aug 29, 2025

Hello i used the above instruction to run nextcloud in docker using tailscale and i am having an issue where either nextcloud_aio_apache works or the domaincheck works has anybody faced such a issue and is there anyway to solve this

5 replies

CaesarRapose Aug 29, 2025

This is my docker-compose.yaml file:
`services:
nextcloud-aio-mastercontainer:
image: ghcr.io/nextcloud-releases/all-in-one:beta
init: true
restart: always
container_name: nextcloud-aio-mastercontainer # This line cannot be changed
volumes:
- nextcloud_aio_mastercontainer:/mnt/docker-aio-config
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- nextcloud-aio
ports:
- 0.0.0.0:8080:8080
environment:
APACHE_PORT: 11000
APACHE_IP_BINDING: 127.0.0.1
SKIP_DOMAIN_VALIDATION: true

caddy:
build:
context: .
dockerfile: Caddy.Dockerfile
depends_on:
tailscale:
condition: service_healthy
restart: unless-stopped
environment:
NC_DOMAIN: # Change to your domain ending with .ts.net
volumes:
- type: bind
source: ./Caddyfile
target: /etc/caddy/Caddyfile
- type: volume
source: caddy_certs
target: /certs
- type: volume
source: caddy_data
target: /data
- type: volume
source: caddy_config
target: /config
- type: volume
source: tailscale_sock
target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
read_only: true
network_mode: service:tailscale

tailscale:
image: tailscale/tailscale:v1.82.0
environment:
TS_HOSTNAME: # Your tailnet hostname
TS_AUTH_KEY: # Your OAuth client key
TS_EXTRA_ARGS: # Required for OAuth client
init: true
healthcheck:
test: tailscale status --peers=false --json | grep 'Online.*true'
start_period: 3s
interval: 1s
retries: 3
restart: unless-stopped
devices:
- /dev/net/tun:/dev/net/tun
volumes:
- type: volume
source: tailscale
target: /var/lib/tailscale
- type: volume
source: tailscale_sock
target: /tmp # Mount entire /tmp folder to access tailscale.sock
cap_add:
- NET_ADMIN
networks:
- nextcloud-aio

volumes:
nextcloud_aio_mastercontainer:
name: nextcloud_aio_mastercontainer # This line cannot be changed
caddy_certs:
caddy_config:
caddy_data:
tailscale:
tailscale_sock:

networks:
nextcloud-aio:
name: nextcloud-aio
driver: bridge
enable_ipv6: false
driver_opts:
com.docker.network.driver.mtu: "1280" # Can be set to 9001 for jumbo frames
com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Security hardening
com.docker.network.bridge.enable_icc: "true"
com.docker.network.bridge.default_bridge: "false"
com.docker.network.bridge.enable_ip_masquerade: "true"
`
This is my caddyfile:

`{
layer4 {
127.0.0.1:3478 {
route {
proxy {
upstream nextcloud-aio-talk:3478
}
}
}
127.0.0.1:3479 {
route {
proxy {
upstream nextcloud-aio-talk:3479
}
}
}
}
}

https://{$NC_DOMAIN} {
reverse_proxy nextcloud-aio-apache:11000 {
header_up X-Forwarded-Proto "https"
header_up Host {host}
}
}

http://{$NC_DOMAIN} {
reverse_proxy nextcloud-aio-apache:11000 {
header_up X-Forwarded-Proto "http"
header_up Host {host}`

and this is my caddy.dockerfile:
FROM caddy:2.9.1-builder-alpine AS builder RUN xcaddy build --with github.com/mholt/caddy-l4@87e3e5e2c7f986b34c0df373a5799670d7b8ca03

FROM caddy:2.9.1-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

I am new to devops and dont know much and am trying to learn by doing a few projects i haven't used docker much, I would appreciate if someone could help me

eliasamaral Aug 29, 2025

What are the error logs?

CaesarRapose Aug 29, 2025

this is from nextcloud-aio-nextcloud container
Failed to fetch discovery endpoint from https://nextcloud.tail6c5f4d.ts.net⁠

cURL error 6: Could not resolve host: nextcloud.tail6c5f4d.ts.net (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)⁠) for https://nextcloud.tail6c5f4d.ts.net/hosting/discovery⁠

This is from the domain check container
2025-08-29 08:46:12: (../src/server.c.1974) server started (lighttpd/1.4.79)

2025-08-29 09:14:01: (../src/server.c.1974) server started (lighttpd/1.4.79)

2025-08-29 09:23:57: (../src/server.c.1974) server started (lighttpd/1.4.79)

2025-08-29 09:25:47: (../src/server.c.1974) server started (lighttpd/1.4.79)

2025-08-29 09:32:11: (../src/server.c.469) warning: clock jumped -10 secs

2025-08-29 09:32:42: (../src/server.c.469) warning: clock jumped -10 secs

2025-08-29 09:40:07: (../src/server.c.469) warning: clock jumped -8 secs

2025-08-29 09:40:39: (../src/server.c.469) warning: clock jumped -9 secs

2025-08-29 09:48:34: (../src/server.c.469) warning: clock jumped -10 secs

2025-08-29 09:49:05: (../src/server.c.469) warning: clock jumped -8 secs

2025-08-29 09:50:10: (../src/server.c.469) warning: clock jumped -9 secs

and this is from the apache container:
[Fri Aug 29 09:24:26.090222 2025] [core:notice] [pid 39:tid 39] AH00094: Command line: '/usr/local/apache2/bin/httpd -D FOREGROUND'

{"level":"info","ts":1756459466.0992055,"msg":"maxprocs: Leaving GOMAXPROCS=12: CPU quota undefined"}

{"level":"info","ts":1756459466.0994062,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":15028903526,"previous":9223372036854775807}

{"level":"info","ts":1756459466.099443,"msg":"using config from file","file":"/tmp/Caddyfile"}

{"level":"info","ts":1756459466.1004293,"msg":"adapted config to JSON","adapter":"caddyfile"}

{"level":"info","ts":1756459466.1047525,"msg":"serving initial configuration"}

Waiting for Nextcloud to start...

nc: getaddrinfo for host "nextcloud-aio-nextcloud" port 9000: Name does not resolve

Waiting for Nextcloud to start...

nc: getaddrinfo for host "nextcloud-aio-nextcloud" port 9000: Name does not resolve

Waiting for Nextcloud to start...

Connection to nextcloud-aio-nextcloud (172.18.0.4) 9000 port [tcp/*] succeeded!

/usr/lib/python3.12/site-packages/supervisor/options.py:13: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html.⁠ The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.

import pkg_resources

{"level":"info","ts":1756465766.429573,"msg":"maxprocs: Leaving GOMAXPROCS=12: CPU quota undefined"}

{"level":"info","ts":1756465766.429816,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":15028907212,"previous":9223372036854775807}

{"level":"info","ts":1756465766.4298453,"msg":"using config from file","file":"/tmp/Caddyfile"}

{"level":"info","ts":1756465766.4337547,"msg":"adapted config to JSON","adapter":"caddyfile"}

{"level":"info","ts":1756465766.4413805,"msg":"serving initial configuration"}

[Fri Aug 29 11:09:26.441426 2025] [mpm_event:notice] [pid 60:tid 60] AH00489: Apache/2.4.65 (Unix) configured -- resuming normal operations

[Fri Aug 29 11:09:26.441491 2025] [core:notice] [pid 60:tid 60] AH00094: Command line: '/usr/local/apache2/bin/httpd -D FOREGROUND

eliasamaral Aug 29, 2025

Nextcloud needs to access https://nextcloud.tail6c5f4d.ts.net/hosting/discovery to retrieve some information.

Make sure this happens.
Check if your host is also on your Tailscale network.

Access it via a browser and see if it returns an xlm.

ps: Use Markdown syntax to help us with logs. ;)

CaesarRapose Aug 29, 2025

noted i will use the markdown syntax, i checked by going at the link it doesnt return a xlm file so i re did the entire process and removed talk it worked thank you

balents · 2025-08-29T20:09:08Z

balents
Aug 29, 2025

Sorry if this is too much of a newbie question, but how would I set the data directory to store everything on a mounted connected drive, say "/mnt/mydrive"?

3 replies

GuillermoFidalgo Aug 29, 2025

In your compose.yml file set something like this

environment: 
      NEXTCLOUD_DATADIR: /mnt/my_drive # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
      # NEXTCLOUD_MOUNT: /mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host

You may want to also define a volume for it.

So your compose.yml might have the following

services:
  nextcloud-aio-mastercontainer:
    image: ghcr.io/nextcloud-releases/all-in-one:latest
   
    # some text here 
    
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/my_mydrive:/var/www/html
   
    # more text here

    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: '127.0.0.1'
      SKIP_DOMAIN_VALIDATION: 'true'
      NEXTCLOUD_DATADIR: "/mnt/my_drive"

# skipping lots of text here 


volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed.
  caddy_certs:
  caddy_config:
  caddy_data:
  tailscale:
  tailscale_sock:
  my_drive:

Also you can check the example compose.yml file https://github.com/nextcloud/all-in-one/blob/main/compose.yaml#L25-L26
for more ideas

balents Aug 30, 2025

thanks! This is very helpful. I'll see how it goes.

balents Sep 2, 2025

FYI I managed to get it almost all running, following this guidance. I also reformatted the external drive to ext4 which fixed a lot of permissions issues. Now it is all working except collabora. To be honest, I don't even really know how I am supposed to be able to use collabora, but while the container is running it is throwing this to the log file:

2025-09-02T17:10:23.643514415Z wsd-00007-00011 2025-09-02 17:10:23.643412 +0000 [ asyncdns ] ERR Failed to lookup host [nextcloud.polydactyl-vibes.ts.net]: No address associated with hostname (EAGAIN: Resource temporarily unavailable)| net/NetUtil.cpp:108
2025-09-02T17:10:23.643614527Z wsd-00007-00026 2025-09-02 17:10:23.643519 +0000 [ remotefontconfig_poll ] ERR Failed to lookup host [nextcloud.polydactyl-vibes.ts.net]. Skipping (0: Success)| net/NetUtil.cpp:622
2025-09-02T17:10:23.643668119Z wsd-00007-00026 2025-09-02 17:10:23.643539 +0000 [ remotefontconfig_poll ] ERR #-1: Failed to connect to nextcloud.polydactyl-vibes.ts.net:443| net/HttpRequest.hpp:1590
2025-09-02T17:10:23.643675619Z wsd-00007-00026 2025-09-02 17:10:23.643566 +0000 [ remotefontconfig_poll ] ERR Remote config server has response status code: 0 (Unknown)| wsd/RemoteConfig.cpp:133

I also followed the steps here: #1358
and got this output:

sudo docker exec -it nextcloud-aio-nextcloud bash
Warning: You have logged in into the Nextcloud container as root user.
See https://github.com/nextcloud/all-in-one#how-to-run-occ-commands if you want to run occ commands.
Apart from that, you can use 'sudo -E -u www-data php occ ' in order to run occ commands.
Of course needs to be substituted with the command that you want to use.
nextcloud-aio-nextcloud:/var/www/html# curl -vvv https://$NC_DOMAIN:443/hosting/discovery
17:18:48.952255 [0-x] == Info: [READ] client_reset, clear readers
17:18:48.975880 [0-0] == Info: Could not resolve host: nextcloud.polydactyl-vibes.ts.net
17:18:48.975973 [0-x] == Info: shutting down connection #0
curl: (6) Could not resolve host: nextcloud.polydactyl-vibes.ts.net
nextcloud-aio-nextcloud:/var/www/html# exit
exit

I'm grateful for any hints on where to start.

bpeters504 · 2025-09-02T17:04:42Z

bpeters504
Sep 2, 2025

This is an excellent guide, but I've followed it exactly and I can't get Collabora to work. The only way I can get the Office config to go green is by using the collabora container's name (http://nextcloud-aio-collabora:9980) once I save that it goes green and shows both the browser URL and nextcloud url used by collabora are my tailnet url. Then I browse to files>Documents and click on the "Welcome to Nextcloud Hub.docx" and I get:

Looking at the collabora logs I see "ERR Failed to lookup host [nextcloud.]: No address associated with hostname "

Any help would be greatly appreciated.

Thank you,
-Bill

5 replies

bpeters504 Sep 3, 2025

I just saw a comment above from @eliasamaral that said the host needs to be on the tailnet. This was not mentioned in the guide. I just added the host to the tailnet and stopped all the AIO containers and did a docker compose down and docker compose up --build --pull always --wait then started the AIO containers and Collabora worked!

It should be clearly said that:

Your host needs to be on your Tailnet.

-Bill

eliasamaral Sep 3, 2025

Although simple, I noticed that some people run into this situation. I thought about opening an issue to add it to the step-by-step guide, but I’m not sure if that’s the best approach. Maybe @flll could update the guide to make this clearer.

balents Sep 3, 2025

I just saw a comment above from @eliasamaral that said the host needs to be on the tailnet. This was not mentioned in the guide. I just added the host to the tailnet and stopped all the AIO containers and did a docker compose down and docker compose up --build --pull always --wait then started the AIO containers and Collabora worked!

It should be clearly said that:

Your host needs to be on your Tailnet.

-Bill

Hi @bpeters504 , I'm very much a newbie, but that comment was for me. Can you say how you stopped all the AIO containers, and in which directory you need to be for the docker compose down etc? It needs to see a compose.yml I presume? I want to try it before I do a full reinstall.

Thanks,

Leon

bpeters504 Sep 3, 2025

@balents When I say stop the AIO containers, I mean the containers that are started (and stopped) by clicking the button on the containers page. To get there you can go to Administration Settings and at the top of the Overview, you will see a link "Open Nextcloud AIO Interface."

That will take you to a page where you can stop/start the AIO containers.

You can bookmark that page for easy access. Then to stop the primary containers, you need to be in the directory that has you docker-compose.yml file and run the command sudo docker compose down Then to start everything up again, in that same directory run sudo docker compose up --build --pull always --wait then again browse to the AIO page and click the button to start the containers.

Hope that helps,
-Bill

balents Sep 3, 2025

Thanks @bpeters504 . That is what I guessed, and it worked! Remarkable. Thanks so much!

Leon

balents · 2025-09-02T22:02:47Z

balents
Sep 2, 2025

Hi, I had some great advice earlier. With it, I now have everything working except collabora. To be honest, I don't even really know how I am supposed to be able to use collabora, but although the container is running it is throwing this to the log file:

2025-09-02T17:10:23.643514415Z wsd-00007-00011 2025-09-02 17:10:23.643412 +0000 [ asyncdns ] ERR Failed to lookup host [nextcloud.polydactyl-vibes.ts.net]: No address associated with hostname (EAGAIN: Resource temporarily unavailable)| net/NetUtil.cpp:108
2025-09-02T17:10:23.643614527Z wsd-00007-00026 2025-09-02 17:10:23.643519 +0000 [ remotefontconfig_poll ] ERR Failed to lookup host [nextcloud.polydactyl-vibes.ts.net]. Skipping (0: Success)| net/NetUtil.cpp:622
2025-09-02T17:10:23.643668119Z wsd-00007-00026 2025-09-02 17:10:23.643539 +0000 [ remotefontconfig_poll ] ERR #-1: Failed to connect to nextcloud.polydactyl-vibes.ts.net:443| net/HttpRequest.hpp:1590
2025-09-02T17:10:23.643675619Z wsd-00007-00026 2025-09-02 17:10:23.643566 +0000 [ remotefontconfig_poll ] ERR Remote config server has response status code: 0 (Unknown)| wsd/RemoteConfig.cpp:133

This "nextcloud.polydactyl-vibes.ts.net" is of course my tailnet.

I also followed the steps here: #1358
and got this output:

sudo docker exec -it nextcloud-aio-nextcloud bash
Warning: You have logged in into the Nextcloud container as root user.
See https://github.com/nextcloud/all-in-one#how-to-run-occ-commands if you want to run occ commands.
Apart from that, you can use 'sudo -E -u www-data php occ ' in order to run occ commands.
Of course needs to be substituted with the command that you want to use.
nextcloud-aio-nextcloud:/var/www/html# curl -vvv https://$NC_DOMAIN:443/hosting/discovery
17:18:48.952255 [0-x] == Info: [READ] client_reset, clear readers
17:18:48.975880 [0-0] == Info: Could not resolve host: nextcloud.polydactyl-vibes.ts.net
17:18:48.975973 [0-x] == Info: shutting down connection #0
curl: (6) Could not resolve host: nextcloud.polydactyl-vibes.ts.net
nextcloud-aio-nextcloud:/var/www/html# exit
exit

I'm grateful for any hints on where to start.

Thanks,

Leon

14 replies

balents Sep 3, 2025

and

eliasamaral Sep 3, 2025

To confirm that DNS resolution is working, run nslookup nextcloud.polydactyl-vibes.ts.net.

Check if the Address: matches what is shown in the admin console.

balents Sep 3, 2025

This is what I get (outside the container):

balents@pisquared:/opt/stacks/nextcloud $ nslookup nextcloud.polydactyl-vibes.ts.net
Server:		100.100.100.100
Address:	100.100.100.100#53

Name:	nextcloud.polydactyl-vibes.ts.net
Address: 100.87.177.36

and inside the container:

balents@pisquared:/opt/stacks/nextcloud $ docker exec -it nextcloud-aio-nextcloud bash
Warning: You have logged in into the Nextcloud container as root user.
See https://github.com/nextcloud/all-in-one#how-to-run-occ-commands if you want to run occ commands.
Apart from that, you can use 'sudo -E -u www-data php occ <your-command>' in order to run occ commands.
Of course <your-command> needs to be substituted with the command that you want to use.
nextcloud-aio-nextcloud:/var/www/html# nslookup nextcloud.polydactyl-vibes.ts.net
Server:		127.0.0.11
Address:	127.0.0.11#53

Non-authoritative answer:
*** Can't find nextcloud.polydactyl-vibes.ts.net: No answer

eliasamaral Sep 3, 2025

So we have another problem to solve. DNS resolution should also work inside your container.

Since you installed Tailscale after the containers, let’s do the basics: create a fresh installation. Remember to remove the networks so Docker can create new ones.

balents Sep 3, 2025

@eliasamaral Thanks so much for your help. I saw the comment from @bpeters504 and tried that, and it worked! Not only did many many errors go away from the admin pages, I successfully opened a word document, and made a spreadsheet. There is quite a bit of lag so maybe I'll look into that but still getting tailscale running on the host seems to have been the key. Thanks again!

Leon

balents · 2025-09-02T22:49:16Z

balents
Sep 2, 2025

OK, done. Do I just now try to restart or should I check something? Leon

…

-- Leon Balents ***@***.***

On Tue, Sep 2, 2025, at 3:43 PM, Elias Severiano Amaral wrote: You need your host to also be on the Tailscale network. If you are using Ubuntu, go to https://login.tailscale.com/admin/machines/new-linux and follow the step-by-step instructions. — Reply to this email directly, view it on GitHub <#5439 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADHFI43UILUJPTAJQLT72L33QYMQDAVCNFSM6AAAAABQGBXP2KVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTIMRZGAZDAOI>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

2 replies

eliasamaral Sep 2, 2025

repeat the commands in the terminal

systemctl status tailscaled

balents Sep 2, 2025

I guess you mean this:

balents@pisquared:/opt/stacks/nextcloud $ systemctl status tailscaled

● tailscaled.service - Tailscale node agent
     Loaded: loaded (/lib/systemd/system/tailscaled.service; enabled; preset: enabled)
     Active: active (running) since Tue 2025-09-02 15:46:23 PDT; 11min ago
       Docs: https://tailscale.com/kb/
   Main PID: 511737 (tailscaled)
     Status: "Connected; balents@github; 100.112.184.66 fd7a:115c:a1e0::5401:b864"
      Tasks: 12 (limit: 9573)
        CPU: 1.101s
     CGroup: /system.slice/tailscaled.service
             └─511737 /usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/t>

Sep 02 15:51:06 pisquared tailscaled[511737]: monitor: RTM_NEWROUTE: src=, dst=fda0:b59f:9f48:1::/64, gw=, outif>
Sep 02 15:51:06 pisquared tailscaled[511737]: monitor: RTM_DELROUTE: src=, dst=fda0:b59f:9f48:1::/64, gw=fe80::8>
Sep 02 15:51:06 pisquared tailscaled[511737]: monitor: RTM_NEWROUTE: src=, dst=fda0:b59f:9f48:1::/64, gw=, outif>
Sep 02 15:51:06 pisquared tailscaled[511737]: monitor: RTM_DELROUTE: src=, dst=fda0:b59f:9f48:1::/64, gw=fe80::9>
Sep 02 15:54:07 pisquared tailscaled[511737]: monitor: RTM_NEWROUTE: src=, dst=fda0:b59f:9f48:1::/64, gw=, outif>
Sep 02 15:54:07 pisquared tailscaled[511737]: monitor: RTM_DELROUTE: src=, dst=fda0:b59f:9f48:1::/64, gw=fe80::8>
Sep 02 15:54:59 pisquared tailscaled[511737]: monitor: RTM_NEWROUTE: src=, dst=fda0:b59f:9f48:1::/64, gw=, outif>
Sep 02 15:54:59 pisquared tailscaled[511737]: monitor: RTM_DELROUTE: src=, dst=fda0:b59f:9f48:1::/64, gw=fe80::9>
Sep 02 15:57:27 pisquared tailscaled[511737]: monitor: RTM_NEWROUTE: src=, dst=fda0:b59f:9f48:1::/64, gw=, outif>
Sep 02 15:57:27 pisquared tailscaled[511737]: monitor: RTM_DELROUTE: src=, dst=fda0:b59f:9f48:1::/64, gw=fe80::8>
lines 1-21/21 (END)

balents · 2025-09-02T22:57:53Z

balents
Sep 2, 2025

Within the container? If yes, then the result did not change.

…

-- Leon Balents ***@***.***

On Tue, Sep 2, 2025, at 3:54 PM, Elias Severiano Amaral wrote: repeat the commands in the terminal — Reply to this email directly, view it on GitHub <#5439 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADHFI44BY2G6CS43PCD4P7D3QYNZPAVCNFSM6AAAAABQGBXP2KVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTIMRZGAZDMNA>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

0 replies

balents · 2025-09-03T20:15:51Z

balents
Sep 3, 2025

I am running collabora in nextcloud aio following this guide and with help from this forum.H appily it works but the performance is very slow and laggy. I wonder if there is a fix? I loaded a .docx file and copied the collabora log that resulted below. There is a line about performance: To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date. Full paste below.

Leon

2025-09-03T20:10:19.589816434Z frk-00013-00013 2025-09-03 20:10:19.589688 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/passwd] is out-of-date. Will have to clone dynamic elements of systemplate to the jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:586
2025-09-03T20:10:19.601044514Z kit-04299-04299 2025-09-03 20:10:19.600917 +0000 [ kit_spare_027 ] ERR  Failed to stat or chown 65534:65534 /opt/cool/child-roots/7-4621c22c//linkable/opt/cool/systemplate/etc/ssl/certs/ca-certificates.crt: Invalid argument missing cap_chown?, disabling linkable| kit/Kit.cpp:459
2025-09-03T20:10:19.601679090Z kit-04299-04299 2025-09-03 20:10:19.601011 +0000 [ kit_spare_027 ] ERR  link("/opt/cool/systemplate/etc/ssl/certs/ca-certificates.crt", "/opt/cool/child-roots/7-4621c22c/qCWMax5OiPILszOl/etc/ssl/certs/ca-certificates.crt") failed: Invalid argument. Very slow copying path triggered.| kit/Kit.cpp:475
2025-09-03T20:10:20.043922175Z wsd-00007-04298 2025-09-03 20:10:20.043613 +0000 [ docbroker_00c ] WRN  #36: Socket still open post onDisconnect(), forced shutdown.| net/Socket.hpp:1272
2025-09-03T20:10:20.046906163Z notcoolmount: unmount failed to detach [/opt/cool/child-roots/7-4621c22c/OgOTTpt2iNAQvwpc/lo]: Operation not permitted.
2025-09-03T20:10:20.047970073Z notcoolmount: forced unmount of [/opt/cool/child-roots/7-4621c22c/OgOTTpt2iNAQvwpc/lo] failed: Operation not permitted.
2025-09-03T20:10:20.054032790Z wsd-00007-00012 2025-09-03 20:10:20.053506 +0000 [ prisoner_poll ] WRN  #45: Socket still open post onDisconnect(), forced shutdown.| net/Socket.hpp:1272
2025-09-03T20:10:25.577504698Z frk-00013-00013 2025-09-03 20:10:25.577019 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/passwd] is out-of-date. Will have to clone dynamic elements of systemplate to the jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:586
2025-09-03T20:10:25.584966066Z kit-04336-04336 2025-09-03 20:10:25.584833 +0000 [ kit_spare_028 ] ERR  Failed to stat or chown 65534:65534 /opt/cool/child-roots/7-4621c22c//linkable/opt/cool/systemplate/etc/ssl/certs/ca-certificates.crt: Invalid argument missing cap_chown?, disabling linkable| kit/Kit.cpp:459
2025-09-03T20:10:25.585014159Z kit-04336-04336 2025-09-03 20:10:25.584944 +0000 [ kit_spare_028 ] ERR  link("/opt/cool/systemplate/etc/ssl/certs/ca-certificates.crt", "/opt/cool/child-roots/7-4621c22c/wz6871QSqGHR00Qu/etc/ssl/certs/ca-certificates.crt") failed: Invalid argument. Very slow copying path triggered.| kit/Kit.cpp:475
2025-09-03T20:10:25.953598100Z wsd-00007-04335 2025-09-03 20:10:25.953287 +0000 [ docbroker_00d ] WRN  #17: Socket still open post onDisconnect(), forced shutdown.| net/Socket.hpp:1272
2025-09-03T20:10:25.955194733Z notcoolmount: unmount failed to detach [/opt/cool/child-roots/7-4621c22c/mG65Zjaf9duvJ8QL/lo]: Operation not permitted.
2025-09-03T20:10:25.955212956Z notcoolmount: forced unmount of [/opt/cool/child-roots/7-4621c22c/mG65Zjaf9duvJ8QL/lo] failed: Operation not permitted.
2025-09-03T20:10:36.162185938Z frk-00013-04373 2025-09-03 20:10:36.162039 +0000 [ subforkit_003 ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/passwd] is out-of-date. Will have to clone dynamic elements of systemplate to the jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:586
2025-09-03T20:10:36.166892263Z frk-00013-04373 2025-09-03 20:10:36.166732 +0000 [ subforkit_003 ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/passwd] is out-of-date. Will have to clone dynamic elements of systemplate to the jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:586
2025-09-03T20:10:36.167747320Z kit-04374-04374 2025-09-03 20:10:36.167598 +0000 [ kit_spare_029 ] ERR  Failed to stat or chown 65534:65534 /opt/cool/child-roots/7-4621c22c//linkable/opt/cool/systemplate/etc/ssl/certs/ca-certificates.crt: Invalid argument missing cap_chown?, disabling linkable| kit/Kit.cpp:459
2025-09-03T20:10:36.167807320Z kit-04374-04374 2025-09-03 20:10:36.167750 +0000 [ kit_spare_029 ] ERR  link("/opt/cool/systemplate/etc/ssl/certs/ca-certificates.crt", "/opt/cool/child-roots/7-4621c22c/py0AFgMFWJOXqvk6/etc/ssl/certs/ca-certificates.crt") failed: Invalid argument. Very slow copying path triggered.| kit/Kit.cpp:475
2025-09-03T20:10:36.174024630Z kit-04375-04375 2025-09-03 20:10:36.173783 +0000 [ kit_spare_02a ] ERR  Failed to stat or chown 65534:65534 /opt/cool/child-roots/7-4621c22c//linkable/opt/cool/systemplate/etc/ssl/certs/ca-certificates.crt: Invalid argument missing cap_chown?, disabling linkable| kit/Kit.cpp:459
2025-09-03T20:10:36.174522557Z kit-04375-04375 2025-09-03 20:10:36.174152 +0000 [ kit_spare_02a ] ERR  link("/opt/cool/systemplate/etc/ssl/certs/ca-certificates.crt", "/opt/cool/child-roots/7-4621c22c/Sj1iL8rViqHujkwn/etc/ssl/certs/ca-certificates.crt") failed: Invalid argument. Very slow copying path triggered.| kit/Kit.cpp:475
2025-09-03T20:10:39.223813245Z kit-04375-04375 2025-09-03 20:10:39.223691 +0000 [ kit_spare_02a ] WRN  Linking/copying files from /opt/collaboraoffice to /opt/cool/child-roots/7-4621c22c/Sj1iL8rViqHujkwn/lo/ is taking too much time. Enabling verbose link/copy logging.| kit/Kit.cpp:505
2025-09-03T20:10:39.227972254Z kit-04374-04374 2025-09-03 20:10:39.227903 +0000 [ kit_spare_029 ] WRN  Linking/copying files from /opt/collaboraoffice to /opt/cool/child-roots/7-4621c22c/py0AFgMFWJOXqvk6/lo/ is taking too much time. Enabling verbose link/copy logging.| kit/Kit.cpp:505

1 reply

anon92576-hue Dec 11, 2025

Yah facing the same issue. Collabora is slow. Did you manage to fix it?

wbrmdz · 2025-09-04T22:45:25Z

wbrmdz
Sep 4, 2025

I got two questions.

Question #1, would it be better to update the docker compose config above to explicitly define the ephemeral and preauthorized parameters? I have Tailscale Lock enabled and every time the container restarts, since it tis ephemeral I have to go sign it to allow traffic to it. I think preauthorized=true solves that issue.

TS_AUTH_KEY: tskey-client-kXGGbs6CNTRL?ephemeral=false&preauthorized=true

Question #2, I'm trying to share the nextcloud node with another tailnet (not inviting the user to my tailnet, but instead just sharing the node with them). The issue is that since the container/node is ephemeral, every time the container restarts and deletes the node and creates a new one. This causes the need to create a new node invitation link and go through the whole process again.

If the docker compose is set with the ephemeral key set to true, it still doesn't solve the issue as when the container reboots it still create a new node.

Any suggestions on how this can be solved?

2 replies

Nysferatu Dec 31, 2025

Hey,

Might be a little late for you, but maybe someone else finds it useful.
You can use a simple auth key if you want instead of oath, it won't be ephemeral any more.
To "reconnect" to the existing (now not ephemeral) nextcloud machine instead of creating new ones, add TS_STATE_DIR: /var/lib/tailscale to your tailscale service's environment:

...
ts-nextcloud:
    image: tailscale/tailscale:latest
    container_name: ts-nextcloud
    environment:
      TS_HOSTNAME: nextcloud
      TS_AUTH_KEY: your_authkey # Not Oauth
      TS_STATE_DIR: /var/lib/tailscale
...

You may need to first wipe the tailscale volume mapped to /var/lib/tailscale .

Following these steps you should have a permanent machine that you can share and will be re-used after container restart.

Andrei-Voicea Jan 17, 2026

If I use a simple auth key, will I need to replace it in the future (for example every 3 months)? @Nysferatu

g0lg0th · 2025-09-14T15:26:47Z

g0lg0th
Sep 14, 2025

Hello,
I get an error related to Caddy.Dockerfile:

 => ERROR [builder 2/2] RUN xcaddy build --with github.com/mholt/caddy-l4@87e3e5e2c7f986b34c0df373a5799670d7b8ca03                                      0.8s
------                                                                                                                                                       
 > [builder 2/2] RUN xcaddy build --with github.com/mholt/caddy-l4@87e3e5e2c7f986b34c0df373a5799670d7b8ca03:                                                 
0.114 2025/09/14 15:17:45 [INFO] absolute output file path: /usr/bin/caddy                                                                                   
0.117 2025/09/14 15:17:45 [INFO] Temporary folder: /tmp/buildenv_2025-09-14-1517.654855134                                                                   
0.117 2025/09/14 15:17:45 [INFO] Writing main module: /tmp/buildenv_2025-09-14-1517.654855134/main.go                                                        
0.117 package main                                                                                                                                           
0.117 
0.117 import (
0.117   caddycmd "github.com/caddyserver/caddy/v2/cmd"
0.117 
0.117   // plug in Caddy modules here
0.117   _ "github.com/caddyserver/caddy/v2/modules/standard"
0.117   _ "github.com/mholt/caddy-l4"
0.117 )
0.117 
0.117 func main() {
0.117   caddycmd.Main()
0.117 }
0.117 2025/09/14 15:17:45 [INFO] Initializing Go module
0.117 2025/09/14 15:17:45 [INFO] exec (timeout=0s): /usr/local/go/bin/go mod init caddy 
0.120 go: creating new go.mod: module caddy
0.122 go: to add module requirements and sums:
0.122   go mod tidy
0.123 2025/09/14 15:17:45 [INFO] Pinning versions
0.123 2025/09/14 15:17:45 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -v github.com/caddyserver/caddy/v2@v2.9.1 
0.124 go: github.com/caddyserver/caddy/v2@v2.9.1: Get "https://proxy.golang.org/github.com/caddyserver/caddy/v2/@v/v2.9.1.info": dial tcp: lookup proxy.golang.org on [fd0f:ee:b0::1]:53: dial udp [fd0f:ee:b0::1]:53: connect: network is unreachable
0.125 2025/09/14 15:17:45 [FATAL] exit status 1
------
Caddy.Dockerfile:2

--------------------

   1 |     FROM caddy:2.9.1-builder-alpine AS builder

   2 | >>> RUN xcaddy build --with github.com/mholt/caddy-l4@87e3e5e2c7f986b34c0df373a5799670d7b8ca03

   3 |     

   4 |     FROM caddy:2.9.1-alpine

--------------------

failed to solve: process "/bin/sh -c xcaddy build --with github.com/mholt/caddy-l4@87e3e5e2c7f986b34c0df373a5799670d7b8ca03" did not complete successfully: exit code: 1

0 replies

FatiguedEndUser · 2025-10-11T23:02:09Z

FatiguedEndUser
Oct 11, 2025

So the guide worked! However my nextcloud-domaincheck container is refusing to start because its saying port 1100 is already bound to another container. (Ive only used that port for nextcloud but i used it in other attempts to get this working.) Here is the error message:

Failed starting container: failed to set up container networking: driver failed programming external connectivity on endpoint nextcloud-aio-domaincheck (64492eedcc06be0b150251e65d03d8d5a2cecbabb62ffcb835bb113fcae18e58): Bind for 127.0.0.1:11000 failed: port is already allocated

I dont know if i should remove all the containers for nextcloud look into my docker network ID's and remove the appropriate ones

or should i remove all the docker containers and change the port number to like 1101 and redo the docker container?

Im so close now but nextcloud has been a constant pain in my ass for awhile now. This guide is the only thing thats got me past the initial setup

EDIT:

I took down all the containers changed the port of the apache line to 11001 and every container is now running. However i still cant seem to access my nextcloud. When i hit the AIO pages "Open your nextcloud" the page doesnt load. When i use the docker bridge ip it brings me to the AIO page but says something about automatic login.

0 replies

readytocode71 · 2025-12-30T17:42:07Z

readytocode71
Dec 30, 2025

Hey, thanks for the awesome guide, I've been using it for half a year now and everything works quite smoothly. One question on tailscale though: If I want to update the tailscale inside the docker container how can I do this safely? I tried it once but then I ended up on the nextcloud configuration screen again and wasnt able to reach my instance anymore, although the data was still there, but the setup was not reachable. Any help appreciated!

0 replies

Tailscale (and Caddy as a sidecar) Reverse Proxy #5439

Uh oh!

Uh oh!

flll Oct 18, 2024 Collaborator

🌐 Nextcloud All-in-One with Tailscale Integration Guide

📋 Overview

✨ Key Benefits

🚀 Step 1: Tailscale Configuration

🏷️ 1.1 Copy Your Tailnet Domain Name

🔒 1.2 Enable HTTPS Certificates

🏷️ 1.3 Create Nextcloud Tag in ACL

🔑 1.4 Generate OAuth Client

OAuth Scopes Configuration:

⚙️ Step 2: Environment Variables Setup

🐳 Step 3: Docker Compose Configuration

compose.yml

📝 Step 4: Caddy Configuration Files

4. Create Caddyfile and Caddy.Dockerfile

Caddyfile

🐳 Caddy.Dockerfile

🎯 Step 5: Deploy Nextcloud AIO

🚀 Deployment Steps

🔧 Troubleshooting

❗ If It Doesn't Work

🔄 Docker Reset Commands

🔍 Post-Reset Verification

🙏 Acknowledgments

📅 Latest Updates

Replies: 116 comments · 541 replies

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

This comment has been hidden.

Uh oh!

flll Oct 22, 2024 Collaborator Author

Uh oh!

szaimen Oct 22, 2024 Maintainer

Uh oh!

szaimen Oct 22, 2024 Maintainer

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

flll Oct 25, 2024 Collaborator Author

Uh oh!

flll Oct 25, 2024 Collaborator Author

This comment has been hidden.

Uh oh!

Uh oh!

Uh oh!

flll Oct 24, 2024 Collaborator Author

Uh oh!

Uh oh!

flll Oct 24, 2024 Collaborator Author

Uh oh!

Uh oh!

Uh oh!

flll Oct 25, 2024 Collaborator Author

Uh oh!

flll Oct 25, 2024 Collaborator Author

Uh oh!

Uh oh!

flll
Oct 18, 2024
Collaborator

Replies: 116 comments 541 replies

flll Oct 22, 2024
Collaborator Author

szaimen Oct 22, 2024
Maintainer

szaimen Oct 22, 2024
Maintainer

flll Oct 25, 2024
Collaborator Author

flll Oct 25, 2024
Collaborator Author

flll Oct 24, 2024
Collaborator Author

flll Oct 24, 2024
Collaborator Author

flll Oct 25, 2024
Collaborator Author

flll Oct 25, 2024
Collaborator Author